We researched how hackable building automation systems are in Sacramento and the results are surprising!
By: Zach Denning
I’d like to preface this article by stating that during our research we reached out to every building owner that had vulnerabilities with details of information we discovered – All without cost to them and without the expectation of future work.
At no time did we attempt to login or ‘hack’ a building automation system – We simply tested these networks for vulnerabilities easily exploited by hackers.
It’s our initiative to secure sites where our HVAC Partners implement our software platform while educating owners of vulnerabilities relating to building automation.
“My HVAC contractor told me that if he has remote access to our building service calls are half-priced. All we have to do is connect our building automation system to the Internet and we can save hundreds every month!”
And just like that your office building is now part of the ‘low-hanging fruit’ every hacker dreams of getting access to. But it’s just your HVAC system. All they can do is turn the temperature up and down, right? Wrong.
At least 65% of all building automation systems are connected into existing building infrastructures via hardwired, Ethernet connection. Unfortunately, most offices don’t properly segregate the building automation from the same network as their tenants (Typically done through a VLAN or virtual separation of physically connected networks) as it’s costly to setup and maintain.
Meaning a virus enters your network via the building automation and can jump or ‘springboard’ from tenant-to-tenant at will – Return vital information back to its host (Account numbers, logins, credit card numbers, etc.) like the Target hack. But you’ve been told your building automation is secure – You’re behind a firewall – It’s only Bacnet – This will never happen to you – Wrong!
We researched how secure building automation systems were in Sacramento and found –
There are +300-different building automation systems openly exposed to the Internet without a firewall.
Of the 82 systems tested, we found 18 had default admin user credentials where there was an ability to login to the automation system and get full access to override the system, change setpoints, schedules, etc. More importantly, admin permissions included unrestricted access to the file transfer protocol features which is pivotal for – You guessed it – Uploading a virus!
114-different building automation systems behind a secure firewall with the Bacnet IP port (UDP:47808) exposed.
Despite being open to the Internet, the building automation systems at these sites were nested behind extremely capable firewalls. Unbeknownst to the building owner though, the HVAC contractor had accidently enabled the Bacnet IP traffic on their front-end hardware – Enabling full access to all control setpoints and the ability to springboard viruses onto their network.
Wait, I thought Bacnet IP could only be used for HVAC-related data? Wrong again.
Bacnet IP is a communication protocol built on the foundation of HVAC communications with one slight caveat – It allows for open file transfer! In developing our Bacnet driver, we discovered that most Bacnet IP-enabled devices will accept a file transferred from our IP-device if it matches a certain criterion of name, type, size, etc.
All a hacker has to do to upload a virus to your building is –
Scan the building automation system for file types
Create a new file with one of the discovered types and infect it with a virus payload
Send the file to the building automation device
Even when the device rejects the new file, the originator can keep changing file types until one is accepted (i.e. – configuration files, history files, etc.). From there the virus springboards to every connected device on its network – Infecting as many files as possible, collecting information and reporting everything back to the host.
So how do you prevent hackers from getting into your network?
Check out Part: II of this post next week to learn more and see how much it costs to not secure yourself!
My name is Zach Denning and I’m the CEO and owner of EnerDapt, Inc. We’ve developed an HVAC AI software platform that strengthens relationships between service providers and property management, while reducing operating costs 18-22%. You can reach me at firstname.lastname@example.org or visit our website at www.enerdapt.com